Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2023 02:14
Static task: static1
Behavioral task behavioral1
Sample: 2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1.xls
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: 2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1.xls
Resource: win10v2004-20231127-en
General
Target: 2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1.xls
Size: 390KB
MD5: 13b206b3e79a9d04ff497d128c01df53
SHA1: 2e17982b433c9e32f25a5fec1707e573563c594f
SHA256: 2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1
SHA512: 5af0ed9d1dc21e373a269377fb98e693aab1cc88e5528148e91f885195ada6289a1c3cbad965fb52da6c4b7955ac5770017f8e5a156960de971d28ebe172fcb8
SSDEEP: 6144:Nn1m9kdb/Gt8b++UXaVXKv6FW2LN6rKTbLfqmYJEgTy:NOeLlS5aVXKv6FhzbLfv2EgTy
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WINWORD.EXE
IoCs (description: ioc (process)):
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
IoCs (description: ioc (process)):
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
PID 1396 EXCEL.EXE
PID 4976 WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
Token: SeAuditPrivilege, PID 4976 WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
PID 1396 EXCEL.EXE (12 IoCs)
PID 4976 WINWORD.EXE (4 IoCs)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
PID 4976 WINWORD.EXE wrote to memory of PID 1892 splwow64.exe (2 IoCs)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1.xls"
PID: 1396
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
PID: 4976
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  Child process: C:\Windows\splwow64.exe
  Command line: C:\Windows\splwow64.exe 12288
  PID: 1892

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
PID: 2372
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize: 471B
MD5: 3ac24270f8f096f6e943600737a5d387
SHA1: c7700e1e0b01fb39c39a082d5a09efded11a0921
SHA256: f786f1a9c5dbf830c36a6892bcddea4b6fe4af9c593ca2ac9ee5734451be6fee
SHA512: 86d6d80d4803b16b7a0993515ee211c4567e899ad4bb14f3c4e97deae4bd614e47cc406c081ba02a76e9f3d9e1d1e1bd39ebde91a63bbbfd55384f0bbc4a3dbb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize: 412B
MD5: b132521bb683fed118854df6e614762e
SHA1: eb41efcf255f7aea443a9070822a25b7f65c118e
SHA256: 23682cded75f94b6878b2478fa1a3987dcc2a2035f114ea681e6763e71bbab13
SHA512: 7813d4997dc20c3df532f29c12fdc411378b8a92e634b1f31f4c277ea26ac231dc5540fe850d2582576c3b39a1b470a3022c11c46cf825cc6c9804b873339658

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1238707F-9242-4D6D-ADE8-61C5CF2C4351
Filesize: 157KB
MD5: df177bc8609f6c738299aadb4a6cd090
SHA1: 6725ed58f4ba2a521cdb47306cb5d060b563178a
SHA256: f3f34c1f34220b3cdadc7996c4565360ca89c69bfc7d77c5bdf9c26e27c3f2f0
SHA512: ffb4e11f154128e867ac37b9db3477e8f6f19c5087c97aff75ba510d15840837a3cc45c1a6cee1b8ac8a7cd160727b14f6a69426b833f3b40cab63408bcfd71e

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 524b0de2947a87ae5c821bed745efe2c
SHA1: 86147bbc95f0bbbc236ef59b3f813bc9335c26a8
SHA256: d519deee6b1ee1c9a7467e2e31343fa1ffeb00ecb173b08bd9fa22cdeed25aed
SHA512: 283deba0ca978f9f8b3a6584342b4f60e57b2ad8f624b8b3ad95b6fd000c5dece5aeff8e5a81c69442487e5bddd9d18b3d778f2efa40727794765883b27d7bd5

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
Filesize: 4KB
MD5: 5abcb7fb9a89f0eb80b1a285913e5692
SHA1: 14d050da8538013f94667ed98e087ca1be0bffe3
SHA256: 16fefff9fc6a99db712339f7c06b4f857d98beec8cef30ab333392239f0cb3de
SHA512: f677fa870edc7d9651ee0b024cae538ab7c8c0fedd366a9ba8f6d2c0d67b8b08280cb09d007bd750f1db20a89179666ad1d8034377ca990b637177673fba0552

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z29MWU1J\microsofdecidedtodeleteentirehistorycookiecachefrommypc[1].doc
Filesize: 50KB
MD5: 5451b82c9d7e98c077b8dc1f667f5b19
SHA1: 5788704528823c1988964a8af9c2056dd42f787b
SHA256: 1e4cba11fed2e6d17ef029301ae806af502cf79109dd9e70ec220d2d4b497a75
SHA512: 5e5d5ee9eeaccf07cd2d4662fc1ede32231c04f27bbb66ece835b4c3c5fa18a022a636f6d290ebe613453c6388f53b17ce319b6757288148257c85ad161daeed